Dual ISP with NAT Trouble

Answered Question
Aug 20th, 2012

I am hoping someone can throw me a life jacket on this small dilemma.  I am trying to configure dual ISPs with an ASA.  I have followed the guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml and the failover occurs seamlessly but I feel there is a step missing from the guide: dual NAT.


When the failover occurs traffic still dies at the ASA because it is unable to find a NAT pool for the backup ISP interface (and backup ISP IPs).  And, I have yet to find a way to program a second NAT rule that falls over to that backup interface when the primary outside fails.


Help would be greatly appreciated!


Below is a diagram of the layout with both ISP router and active/standby ASAs for your reference:

cisco question diagram.png

Overall Rating: 5 (1 ratings)
Correct Answer
Karsten Iwen Mon, 08/20/2012 - 14:17
With the guide you followed, you are running a version <8.3 on your ASA? Then you have to take your global commands and configure them again with the backup-interface and the IP-range that belongs to the backup ISP.

That is also mentioned in the guide:


global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0


For the nat-statement you have two globals with the same NAT-ID pointing to both outgoing interfaces. The example works with interface-PAT, but you can use your NAT-range or PAT-IP instead of the keyword "interface".



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Derron Carstensen Mon, 08/20/2012 - 15:08
That was it... I was trying to use two globals with different NAT IDs.  Just had to modify the backup one to use the same ID and it tested successfully.  Thanks!
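
The mismatch described in this thread (a backup global configured with a different NAT ID than the nat statement), as an added example that is not from the thread or from Cisco: a small Python check over pre-8.3 nat/global lines that reports every NAT ID with no global on one of the egress interfaces. The function name, the two sample configurations and the egress interface list are constructed for illustration; the interface names and the 172.16.1.0 network are the ones quoted in the answer.

```python
import re
from collections import defaultdict

# Pre-8.3 syntax: "nat (real_if) id ..." and "global (mapped_if) id ..."
RULE = re.compile(r"^\s*(nat|global)\s+\((\S+?)\)\s+(\d+)\b")

def missing_globals(config, egress_ifs):
    """Return {nat_id: [egress interfaces that have no global for that id]}."""
    nat_ids = set()
    globals_by_id = defaultdict(set)
    for line in config.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        kind, iface, nat_id = m.group(1), m.group(2), int(m.group(3))
        if nat_id == 0:
            continue  # nat 0 is identity NAT / NAT exemption, it needs no global
        if kind == "nat":
            nat_ids.add(nat_id)
        else:
            globals_by_id[nat_id].add(iface)
    gaps = {}
    for nat_id in sorted(nat_ids):
        absent = [i for i in egress_ifs if i not in globals_by_id[nat_id]]
        if absent:
            gaps[nat_id] = absent
    return gaps

# Constructed sample: backup global uses a different NAT ID than the nat rule
BROKEN = """\
global (outside) 1 interface
global (backup) 2 interface
nat (inside) 1 172.16.1.0 255.255.255.0
"""

# Constructed sample: both globals share the nat rule's ID, as in the answer
FIXED = """\
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        gaps = missing_globals(cfg, ["outside", "backup"])
        for nat_id, ifs in gaps.items():
            print(f"{name}: nat id {nat_id} has no global on {', '.join(ifs)}")
        if not gaps:
            print(f"{name}: every nat id has a global on each egress interface")
```
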
